High risk - risk score 65/100
Last scanned: 1 day ago
openclaw-memory-auto
Automatic memory archiving and refinement plugin for OpenClaw AI agent
Skill contains hardcoded absolute Windows paths exposing user identity, undeclared PowerShell script execution, and credential-related keyword harvesting with plausible yet suspicious design patterns.
Skill name: openclaw-memory-auto
Analysis time: 59.0s
Engine: pi
Do not install this skill
Do not deploy. Hardcoded user paths and undeclared shell execution present significant privacy and security risks. Request full source audit and remove hardcoded paths before any further evaluation.

Attack chain: 6 steps

Entry: Skill distributed as legitimate OpenClaw memory plugin via SKILL.md marketing
SKILL.md:1
Privilege escalation: Hardcoded Windows username path reveals user identity for targeting
index.js:62
Privilege escalation: Spawns powershell.exe with ExecutionPolicy Bypass to run non-existent scripts
index.js:67
Privilege escalation: Extracts messages containing credential-adjacent keywords (password, token, key, secret, api, 密钥, 密码) from chat transcripts
src/archiver.ts:118
Impact: Stores credential-adjacent transcript snippets in plaintext memory/YYYY-MM-DD.md files
src/archiver.ts:108
Privilege escalation: Refinement feature (callAI stub) could be implemented to POST extracted credentials to external AI endpoint
src/refiner.ts:25

Security findings: 7 items

Severity | Finding | Location
High
Hardcoded Windows username path leaks user identity [Privilege escalation]
index.js line 62 contains a hardcoded absolute path 'C:\Users\42517\.openclaw\agents\main\sessions' and test.js contains 'C:\Users\42517\.openclaw\workspace'. These expose the Windows username '42517' and indicate the developer built and tested the tool on a real user's machine, with that user's directory structure baked into the code. This pattern is consistent with credential-harvesting malware that probes known user paths.
const transcriptDir = 'C:\\Users\\42517\\.openclaw\\agents\\main\\sessions';
→ Remove all hardcoded absolute paths. Use workspace-relative or env-var-based paths only.
index.js:62
High
Undeclared PowerShell execution with bypassed execution policy [Documentation deception]
index.js spawns powershell.exe with arguments '-NoProfile', '-ExecutionPolicy', 'Bypass', and '-File' to run archive.ps1 and refine.ps1. Neither script exists in the repository. The -ExecutionPolicy Bypass flag explicitly bypasses PowerShell security policies. SKILL.md makes no mention of PowerShell scripts, external script execution, or Windows-specific behavior, instead describing the tool as 'Pure TypeScript'. This is a significant doc-to-code mismatch.
const ps = spawn('powershell.exe', psArgs, { stdio: 'inherit' });
→ Either declare and include the PowerShell scripts, or remove the spawn entirely and perform all logic in Node.js/TypeScript.
index.js:67
High
Sensitive credential keywords used to extract transcript highlights [Credential theft]
src/defaults.ts contains a DEFAULT_KEYWORDS array including 'password', 'token', 'key', 'secret', 'api', '密钥', '密码', '账号'. These keywords are used by the archiver to extract 'highlights' from chat transcripts (src/archiver.ts:extractHighlights). The archiver reads all transcript files, filters for messages matching these keywords, and writes snippets to memory/YYYY-MM-DD.md. This means credentials, API keys, and secrets discussed in chat are extracted and stored in plaintext files without explicit user consent in SKILL.md.
'password', 'api', 'token', 'key', 'secret'
→ Either remove sensitive credential keywords from defaults, or explicitly document and request consent for credential extraction in SKILL.md with a clear opt-in mechanism.
src/defaults.ts:21
Medium
SKILL.md claims zero config needed but hardcoded paths require config [Documentation deception]
SKILL.md advertises 'Zero Configuration: Works out of the box with smart defaults' and 'Pure TypeScript, runs on Windows/Mac/Linux'. However, the actual code contains hardcoded Windows paths that will fail on any non-matching Windows machine or any non-Windows OS. The cross-platform claim is misleading.
Cross-Platform: Pure TypeScript, runs on Windows/Mac/Linux
→ Update SKILL.md to accurately reflect platform requirements and remove cross-platform claims unless the hardcoded paths are replaced with dynamic detection.
SKILL.md:1
Medium
Dynamic fast-glob import with no actual usage [Sensitive access]
src/archiver.ts imports fast-glob but never calls it. Instead, it falls back to a hardcoded path join(workspace, 'agents', 'main', 'sessions'). The unused dynamic import pattern is sometimes used to evade static analysis tools. The fallback path still ignores the workspace parameter for agents other than 'main'.
import('fast-glob').then(fg => { // ... });
→ Either implement proper glob usage or remove the import. Use workspace parameter consistently across all transcript paths.
src/archiver.ts:94
Low
No version pinning for dependencies [Supply chain]
package.json specifies dependencies without version pins: openclaw: '^0.5.0', @types/node: '^20', typescript: '^5'. This allows dependency updates that could introduce malicious code without the skill author's knowledge.
"openclaw": "^0.5.0"
→ Pin all dependencies to exact versions (e.g., openclaw@0.5.0 without caret).
package.json:24
Low
External URL reference in keywords.json [Documentation deception]
keywords.json line 2 references 'https://json.schemastore.org/default' for its JSON schema. While this is a legitimate schema store, fetching remote schemas during skill load could be leveraged for data exfiltration or tracking.
"$schema": "https://json.schemastore.org/default"
→ Remove external schema reference or document the network access in SKILL.md.
keywords.json:2
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | READ | WRITE | ✗ Over-privileged | src/archiver.ts:108 - fs.writeFile for daily logs + marker files; standalone-arc…
Network access | NONE | NONE | | refine.js / src/refiner.ts - callAI() stub exists with TODO comment, not yet imp…
Command execution | NONE | WRITE | ✗ Over-privileged | index.js:67-71 - spawn('powershell.exe', psArgs) with -ExecutionPolicy Bypass
Environment variables | NONE | READ | ✓ Consistent | Multiple files read process.env.OPENCLAW_WORKSPACE
2 findings
Medium: External URL
https://clawhub.ai/skills/publish
PUBLISH.md:18
Medium: External URL
https://json.schemastore.org/default
keywords.json:2

Directory structure

24 files · 54.5 KB · 1836 lines
Markdown 6f · 798L TypeScript 8f · 518L JavaScript 5f · 410L JSON 3f · 88L Ignore 1f · 17L Text 1f · 5L
├─ 📁 src
│ ├─ 📜 archiver.ts TypeScript 190L · 6.4 KB
│ ├─ 📜 config.ts TypeScript 38L · 930 B
│ ├─ 📜 defaults.ts TypeScript 62L · 1.7 KB
│ ├─ 📜 index.ts TypeScript 55L · 1.7 KB
│ ├─ 📜 refiner.ts TypeScript 68L · 2.1 KB
│ ├─ 📜 test.ts TypeScript 18L · 567 B
│ └─ 📜 types.ts TypeScript 57L · 1.1 KB
├─ 📄 .gitignore Ignore 17L · 239 B
├─ 📝 CHANGELOG.md Markdown 28L · 692 B
├─ 📝 CONFIGURATION.md Markdown 130L · 4.0 KB
├─ 📜 index.js JavaScript 81L · 2.2 KB
├─ 📋 keywords.json JSON 33L · 703 B
├─ 📄 LICENSE.txt Text 5L · 85 B
├─ 📋 package.json JSON 38L · 793 B
├─ 📜 plugin.ts TypeScript 30L · 894 B
├─ 📝 PUBLIC-README.md Markdown 226L · 5.3 KB
├─ 📝 PUBLISH.md Markdown 58L · 1.4 KB
├─ 📝 README.md Markdown 178L · 4.2 KB
├─ 📜 refine.js JavaScript 53L · 1.5 KB
├─ 📜 screenshot-demo.js JavaScript 99L · 7.8 KB
├─ 📝 SKILL.md Markdown 178L · 4.2 KB
├─ 📜 standalone-archive.js JavaScript 160L · 5.3 KB
├─ 📜 test.js JavaScript 17L · 542 B
└─ 📋 tsconfig.json JSON 17L · 407 B

Dependency analysis: 4 items

Package | Version | Source | Known vulnerabilities | Notes
openclaw | ^0.5.0 | npm | | Caret version allows major updates
fast-glob | not declared | dynamic import | | Imported but not used in src/archiver.ts
@types/node | ^20 | npm | | Dev dependency, not pinned
typescript | ^5 | npm | | Dev dependency, not pinned

Security highlights

✓ No base64-encoded payloads or obfuscated execution observed
✓ No reverse shell, C2 communication, or direct IP network requests found
✓ No ~/.ssh, ~/.aws, or .env file access detected
✓ No curl|bash or wget|sh remote script execution
✓ AI refinement (callAI) is a stub — not actually implemented
✓ Dependencies are from a legitimate registry with no known malicious packages
✓ No hidden instructions in HTML comments or steganography detected